From $URL:

Summary
=======

Bugzilla is a Web-based bug-tracking system used by a large number of software projects. Recently, Mozilla expanded its security bug bounty program to include web applications (http://www.mozilla.org/security/bug-bounty.html). As a result, several new security issues affecting Bugzilla were discovered:

* A weakness in Bugzilla could allow a user to gain unauthorized access to another Bugzilla account.
* A weakness in the Perl CGI.pm module allows injecting HTTP headers and content to users via several pages in Bugzilla.
* The new user autocomplete functionality in Bugzilla 4.0 is vulnerable to a cross-site scripting attack.
* The new automatic duplicate detection functionality in Bugzilla 4.0 is vulnerable to a cross-site scripting attack.
* If you put a harmful "javascript:" or "data:" URL into Bugzilla's "URL" field, then there are multiple situations in which Bugzilla will unintentionally make that link clickable.
* Various pages lack protection against cross-site request forgeries.

All affected installations are encouraged to upgrade as soon as possible.
Torsten, thank you for being on top of the bump. Can we stabilize the new packages, and should we stabilize both 3.2.10 and 3.4.10? Thanks!
Please stabilize 3.2.10 and 3.6.4.

3.2.10 : alpha amd64 ia64 ppc ppc64 sparc x86
3.6.4 : alpha amd64 ia64 sparc x86 ppc ppc64 # bug #346403

3.2 and 3.4 suffer from the "defined(%hash) is deprecated" perl-5.12 warning. Unless somebody requests a patch, I'm happy to ignore it because 3.2 will be end-of-life soon (with the release of bugzilla-4) and 3.4 was never stable.
amd64 done
x86 stable
ppc done
ppc64 done
alpha/ia64/sparc stable
Thank you, everyone. GLSA Vote: no.
Vote: YES, because I think people would like to know if there is an update needed because of:

* A weakness in Bugzilla could allow a user to gain unauthorized access to another Bugzilla account.
CVE-2011-0048 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0048): Bugzilla before 3.2.10, 3.4.x before 3.4.10, 3.6.x before 3.6.4, and 4.0.x before 4.0rc2 creates a clickable link for a (1) javascript: or (2) data: URI in the URL (aka bug_file_loc) field, which allows remote attackers to conduct cross-site scripting (XSS) attacks against logged-out users via a crafted URI.

CVE-2011-0046 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0046): Multiple cross-site request forgery (CSRF) vulnerabilities in Bugzilla before 3.2.10, 3.4.x before 3.4.10, 3.6.x before 3.6.4, and 4.0.x before 4.0rc2 allow remote attackers to hijack the authentication of arbitrary users for requests related to (1) adding a saved search in buglist.cgi, (2) voting in votes.cgi, (3) sanity checking in sanitycheck.cgi, (4) creating or editing a chart in chart.cgi, (5) column changing in colchange.cgi, and (6) adding, deleting, or approving a quip in quips.cgi.

CVE-2010-4572 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4572): CRLF injection vulnerability in chart.cgi in Bugzilla before 3.2.10, 3.4.x before 3.4.10, 3.6.x before 3.6.4, and 4.0.x before 4.0rc2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the query string, a different vulnerability than CVE-2010-2761 and CVE-2010-4411.

CVE-2010-4568 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4568): Bugzilla 2.14 through 2.22.7; 3.0.x, 3.1.x, and 3.2.x before 3.2.10; 3.4.x before 3.4.10; 3.6.x before 3.6.4; and 4.0.x before 4.0rc2 does not properly generate random values for cookies and tokens, which allows remote attackers to obtain access to arbitrary accounts via unspecified vectors, related to an insufficient number of calls to the srand function.

CVE-2010-4567 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4567): Bugzilla before 3.2.10, 3.4.x before 3.4.10, 3.6.x before 3.6.4, and 4.0.x before 4.0rc2 does not properly handle whitespace preceding a (1) javascript: or (2) data: URI, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the URL (aka bug_file_loc) field.
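The whitespace-before-scheme problem in CVE-2010-4567 above, as an added example (Python, not Bugzilla's own Perl code): a prefix deny-list check beside an allow-list check that normalizes the URL the way a browser does before reading the scheme. The scheme set and the sample field values are assumptions.

```python
import re

# Schemes the URL field may be rendered as a clickable link for (assumed set).
# An allow-list is the point: a deny-list of "javascript:"/"data:" prefixes is
# exactly what a leading space or tab slips past.
SAFE_SCHEMES = {"http", "https", "ftp", "mailto"}

# RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":"
_SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.-]*):", re.IGNORECASE)


def naive_is_clickable(url: str) -> bool:
    """Deny-list check in the spirit of the pre-fix behaviour the CVE describes:
    only an exact 'javascript:' or 'data:' prefix is rejected, so a URL with
    leading whitespace passes even though browsers ignore that whitespace."""
    lower = url.lower()
    return not (lower.startswith("javascript:") or lower.startswith("data:"))


def normalize_url(url: str) -> str:
    """Mimic browser clean-up before the scheme is read: drop leading and
    trailing C0 controls and spaces (0x00-0x20), then drop tab, CR and LF
    anywhere in the string."""
    stripped = url.strip("".join(chr(c) for c in range(0x21)))
    return re.sub(r"[\t\r\n]", "", stripped)


def hardened_is_clickable(url: str) -> bool:
    """Allow-list check: render a link only when the normalized URL carries a
    scheme that is in SAFE_SCHEMES. A URL with no scheme is not made clickable."""
    match = _SCHEME_RE.match(normalize_url(url))
    return bool(match) and match.group(1).lower() in SAFE_SCHEMES


# Constructed sample values for the bug_file_loc field (not from any real bug).
SAMPLES = [
    "http://example.com/bug/123",
    "javascript:alert(1)",
    " javascript:alert(1)",            # leading space
    "\tdata:text/html;base64,AAAA",    # leading tab
    "java\nscript:alert(1)",           # newline inside the scheme
    "www.example.com/no-scheme",       # no scheme at all
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:40} naive={naive_is_clickable(sample)!s:5} "
              f"hardened={hardened_is_clickable(sample)}")
```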
Vote: YES. Added to pending GLSA request.
This issue was resolved and addressed in GLSA 201110-03 at http://security.gentoo.org/glsa/glsa-201110-03.xml by GLSA coordinator Stefan Behte (craig).